
Applied Security, Inc. (ASI), a Reston, VA network security company, offers three Digital Forensics Training courses created and conducted by Harlan Carvey: Windows Forensic Analysis, Timeline Analysis, and Registry Analysis. The courses are geared toward beginning and mid-level digital forensics analysts who are looking to expand their technical skills beyond vendor-based tools. Students are taught to think “outside the tool” and develop a goal-oriented approach specific to each forensics case. They then select and use the most appropriate techniques and open source tools to achieve those goals.

ASI’s interactive hands-on courses are scheduled through June 2013 at the company’s Reston, VA training facility. ASI will also take their courses on the road – a meeting room, video projection system and Internet connectivity are the only logistical requirements.

Harlan Carvey, ASI’s Chief Forensic Scientist, teaches all three of ASI’s digital forensics classes. Harlan is a well-known expert in the field and is the author of several acclaimed publications on digital forensics analysis. Most recently, Harlan published Windows Forensic Analysis Toolkit (3/e 2012, Syngress), a follow-on to his book Digital Forensics with Open Source Tools (2/e 2009, 1/e 2007, Syngress), written with Cory Altheide. Harlan’s book Windows Registry Forensics is one of the definitive works on the subject, and his tool RegRipper is a de facto standard in most digital forensics toolkits. Harlan Carvey regularly appears as a speaker and lecturer at conferences and technical forums. Most recently, Harlan spoke at the SANS Summit 2012, the 2012 Open Source Digital Forensics Conference, and Paraben’s Forensics Innovations Conference 2012. Harlan blogs regularly at Windows Incident Response.

Windows Forensic Analysis is a two-day (16 hour) course offered January 14-16, March 11-12, and May 13-14. The course provides attendees with an understanding of the Windows operating system from a forensic analyst’s perspective by reviewing the internal data structures and interdependencies between system and user activity. The exercises and examples used in this course are built for Windows 7, but the lessons learned apply across all platforms.

Windows Forensic Analysis students learn techniques to collect, collate, and interpret data from both routine and obscure sources within a forensics image. Discussion includes use of tools and techniques for cases involving the “Trojan Defense” (where malware is blamed for observed suspicious activity), locating previously undetected malware, attempts to mask or hide user activities from forensic analysis, and other instances of questionable user activity. These discussions are reinforced by using the tools and methodologies in practical forensics exercises with increasingly complex goals.

Timeline Analysis is a two-day (16 hour) course offered February 4-5, April 8-9, and June 10-11. The course provides a solid foundation in the purpose and practice of conducting a comprehensive timeline analysis to uncover activities associated with a cyber-security incident. Instruction covers the various sources and formats of time-stamped data available on Windows systems and the events that can affect that data. The techniques and free/open source tools available for extracting and compiling this information into a timeline are also reviewed.

Timeline Analysis instructor Harlan Carvey is one of the primary developers and promoters of the timeline analysis technique within the Digital Forensics and Incident Response (DFIR) community. He discusses in-depth, practical analysis methodologies essential for interpreting and qualifying timeline information and demonstrates how to find pivot points within the data. These pivot points then become the center around which other data artifacts are time-correlated and interpreted to develop a comprehensive timeline for an incident.

Timeline Analysis lessons are reinforced with intensive practical lab exercises. In the lab, students are presented with a Windows host image and a set of investigation goals. Using the open source toolkit and the analytical techniques learned in class, students develop their own timeline of a forensic event from the provided host image.

Registry Analysis is a one-day (8 hour) course offered December 10, 2012 and as part of a back-to-back offering with Windows Forensic Analysis on January 14-16, 2013. The course provides a thorough understanding of the Windows Registry from both a binary and an analytic perspective. Discussion focuses on the binary structure of the Registry, how operating systems make use of the Registry, and free and open source tools for monitoring, examining and extracting pertinent data from the Registry (including deleted keys and values).

Course material for all three courses may be tailored to the specific needs and experience levels of participants and alternate times may be available upon request. Prospective students can contact ASI to register for classes.